(57) Abstract: A network security system controls access to a resource. A client station provides for inputting an access request for access to a resource via a network, for example the Internet. The access request identifies the user and the resource to be accessed. A server holds data regarding users, including a contact address for a communications device of the user, and is responsive to the access request to issue an authentication request to the communications device. The communications device includes a receiver for receiving the authentication request from the server, a controller operable to invite the user to input a response to the authentication request, and a transmitter to return the response to the server. The server is further operable to evaluate a received response to determine whether the user is permitted to gain access to the resource. Authentication of requests for access to resources via a network is thus provided in a flexible manner using readily available components, for example a mobile telephone.
BACKGROUND OF THE INVENTION

The invention relates to the control of access to a resource via a network.

Identifying a user over a network, for example over a public network such as the Internet, can be a problem where a user wishes to gain access to a resource such as a closed user group and/or a virtual private network via the public network. It has been proposed to address this problem in a number of ways.

Typically, this problem has been solved by providing a security token in the form of a smart card, or some other piece of special purpose hardware for encrypting and decrypting data. The user has possession of the token and additionally some further information that only the user knows, for example a Personal Identification Number (PIN). The token and the PIN can then be used to identify the user in some secure way using a secure protocol between a client station at which the user is located and a server.

However, such a solution requires the client station to have suitable equipment for interfacing with the token. For example, a smart card reader must be provided for interfacing with a smart card, where this is used as the token. Although the token may be portable, if it is a special smart card or some other form of special purpose hardware, the need for a reader means that this form of solution to the problem is not as flexible as might at first seem to be the case.

Accordingly, an aim of the present invention is to provide an improved method, apparatus and system for providing secure access to resources via a network.

SUMMARY OF THE INVENTION 

Particular and preferred aspects of the invention are set out in the accompanying independent and dependent claims. Features from the dependent claims may be combined with features of the independent claims as appropriate, and not merely as explicitly set out in the claims.

In accordance with one aspect of the invention, there is provided a network access security system. A client station provides for inputting an access request for access to a resource via a network, for example the Internet, the access request identifying the user. A server holds data regarding users, including a contact address for a communications device of the user, and is responsive to the access request to issue an authentication request to the communications device. The communications device includes a receiver for receiving the authentication request from the server, a controller operable to invite a user to input a response to the authentication request, and a transmitter to return the response to the server. The server is further operable to evaluate a received response to determine whether the user is permitted to gain access to the resource.

An embodiment of the invention enables authentication of requests for access to resources via a network using readily available components in a flexible manner. Thus, authentication can be achieved without the use of specific hardware of the types required by the prior art approaches described above. Where the communications device is a mobile (cellular) telephone or the like, the actual device used to provide authentication is portable and can be carried by the user. The user can request access to the required resource from any available computer or web access device without needing to carry equipment that he or she would not otherwise carry anyway.

Thus, in an advantageous embodiment, at least one of the receiver and the transmitter includes a wireless communications interface, whereby the communications device is capable of wireless communication. For example, the communications device can be a mobile telephone.

Where, for example, the communications device is a GSM (Global System for Mobile communications) compatible device, ownership of the device can be established by means of a user identification unit such as a Subscriber Identity Module (SIM) card. A SIM card holds a unique identification that is registered with a network service provider as belonging to a specific user.

In an embodiment of the invention, the authentication request message and/or the response message can be in the form of a text message, for example in accordance with the Short Message Service (SMS) messaging protocol.

In accordance with another aspect, the invention provides a communications device including a receiver for receiving a resource access authentication request from a server, a controller operable to invite a user to input a response to the authentication request, and a transmitter to return the response to the server for gaining access to the resource.

In accordance with a further aspect, the invention provides a server including a network message interface for receiving an access request from a client station for access to a resource, the access request identifying the user, the server holding data relating to users including a contact address for a communications device of each user, and the server being responsive to a received access request to issue an authentication request to the communications device of the user identified in the access request.

The server can include a directory holding data relating to users including at least a contact address for a 
communications device for the user, and a controller responsive to receipt of an access request to retrieve a contact 
address from the directory for the user and to issue an authentication request to the communications device. 

In an embodiment of the invention, the authentication request is directed via a message service for calling the communications device of the user. Alternatively, this function can be integral to the server.

The directory can hold required responses to authentication requests, the controller being operable to 
compare a response from the communications device to a required response to determine whether to permit access 
to the resource. 

In accordance with yet a further aspect of the invention, the invention provides user input equipment for input of a resource access request and a network interface for issuing an access request to a server for access to a resource via a network, where the access request identifies the user and the resource to be accessed.

In accordance with yet another aspect of the invention, there is provided a method of controlling access to a network resource. The method includes a number of steps. In response to input of an access request by a user for access to a resource at a network client, an access request is sent to a server, the access request identifying the user. At the server, receipt of the access request causes a unique contact address for a communications device of the user identified in the access request to be retrieved and an authentication request to be issued to the communications device. At the communications device, on receipt of the authentication request, the user is invited to input a response to the authentication request. On input of a response by the user, the response is sent to the server. At the server, the response is evaluated and, in the event that a valid response is received, access to the resource is allowed.

In accordance with a further aspect of the invention, there is provided a computer program comprising program instructions for controlling a server: to retrieve, from a directory, a contact address for a communications device of a user associated with a user identification in a resource access request received from a client station; to issue an authentication request to the communications device at the retrieved address; and to evaluate a response received from the communications device and to permit access to the requested resource only where a valid response is received. The computer program product can be provided on a carrier medium, for example a storage medium or a transmission medium.
In accordance with a further aspect of the invention, there is provided a computer program for controlling a proactive validation unit in mobile equipment, the computer program comprising program instructions to validate an authentication message received from a server, to prompt a user to input a response, to prepare an authentication response message and to forward the authentication response message to the server.

DESCRIPTION OF PARTICULAR EMBODIMENTS

Exemplary embodiments of the present invention will be described hereinafter, by way of example only, with reference to the accompanying drawings, in which like reference signs relate to like elements and in which:

Figure 1 is a schematic overview of a system in accordance with an embodiment of the invention;

Figure 2 is a flow diagram summarising an example of the operation of the system of Figure 1;

Figure 3 is a schematic overview of a client station of the system of Figure 1;

Figure 4 is a flow diagram summarising an example of the operation of the client station of Figure 3;

Figure 5 is a schematic overview of a server of the system of Figure 1;

Figure 6 is a flow diagram summarising an example of the operation of the server of Figure 5;

Figure 7 is a schematic overview of a communications device of the system of Figure 1;

Figure 8 is a flow diagram summarising an example of the operation of the communications device of Figure 7;

Figure 9 is a schematic overview of a part of an example of a communications device of Figure 7.

DESCRIPTION OF PARTICULAR EMBODIMENTS 
A particular embodiment of the present invention is described hereinafter based on the Internet and a GSM (Global System for Mobile communications) mobile communication network. It should be understood that the present invention is applicable to other computer and communication networks and that the particular embodiment described herein is merely one specific implementation.

Figure 1 illustrates an overview of an embodiment of the present invention implemented using the Internet and a GSM network. An embodiment of the present invention provides secure authentication for user access to a network resource, for example a service provided by a server on the Internet.

At a user computer 10 (for example a personal computer (PC)), a user requests access to a resource (for example by logging on to a secure website) using software at the client station (for example a Web browser). For example, the user can use a Web page relating to a resource to be accessed and enter appropriate login information including, for example, a user identification (user-ID). In response to the user access request, the Web browser sends (12) over the Internet 14 an access message including identification of the resource to which the user requires access and also the user-ID. The access message is received (16) from the Internet at a server 20. The server 20 can, for example, be a Web server.
The server 20 includes a directory associated with a resource that can be accessed. The directory includes user-IDs and associates a contact address (in the present example a telephone number) for a user with the appropriate user-ID. The server 20 then causes an SMS (Short Message Service) authentication request to be sent (18) over the GSM network 22. The SMS authentication request includes the user-ID and details of the resource for which an access request has been received by the server 20. The SMS authentication request is received (24) via a wireless link at communications equipment 30.

In the present instance the communications equipment is mobile equipment in the form of a mobile telephone 30 that is owned by the user and includes a proactive SIM card. By a proactive SIM card is meant a SIM card that can comprise active software for carrying out pre-programmed tasks. The communications equipment 30 is configured to alert the user to receipt of the SMS authentication request and to solicit from the user entry of a response. The user enters the response using, for example, a keyboard of the communications equipment 30, and the communications equipment is further configured to compose and send (24), via the wireless link, an SMS authentication response message. The SMS authentication response message includes the user-ID and at least a response field. The SMS authentication response message is received (28) from the GSM network 22 at the server 20.

As well as containing contact addresses associated with the user-IDs, the directory can also contain an identification of the authentication response that is expected in reply to the authentication request message. Accordingly, the server 20 can evaluate and verify whether the response field of the received authentication response corresponds to that expected for the user-ID in question. If a correct response is received, then access to the network service requested by the user is permitted, and an appropriate acknowledgement is sent (32) via the Internet to be received (34) by the user computer 10. If no authentication response is received by the server 20 within a predetermined time, or an authentication response as received is invalid, then an appropriate notification of this is sent (32) via the Internet 14 to be received (34) by the user's computer 10.

Figure 2 is a flow diagram illustrating the main functions performed in operation of the system of Figure 1.

In step S1, the access request is generated at the computer 10 in response to input from the user.

In step S2, the access request generated at the user computer 10 is received by the server 20, and the server generates an authentication request message to be sent to the communications equipment 30 of the user.

At step S3, the communications equipment 30 of the user receives the authentication request, solicits a response from the user and provides a response message to be sent to the server 20.

At step S4, the server 20 receives the response message and either permits or refuses access to the resource identified in the original access request, depending on whether or not a valid response is provided.

Figure 3 is a schematic overview of components of the user computer 10. This includes a processor 40 that is connected to a display 42 for displaying, among other things, a page from a Web browser 44. The processor 40 is also connected to storage 46, to user input devices such as a keyboard 48 and a mouse 50, and further to a network interface 52, for example a modem, ISDN terminal adapter or the like. It will be noted that Figure 3 is schematic only, and the components of the computer 10 can be arranged in any conventional manner, for example with the various functional components connected via a bus (not shown). The network interface 52 is operable to send (12) an access request message and to receive (34) a message giving notification as to whether or not the access request is granted.

Figure 4 is a flow diagram illustrating operations performed by the user computer 10 in an example of operation of an embodiment of the invention.

At step S11, the user selects an access request. This can be achieved, in a conventional manner, by selecting an icon on a web page displayed 44 by means of a Web browser, which icon identifies that the user wishes to request access to a particular resource. In step S12, the software in the user computer 10 is operable to compose an access request message that includes a user-ID for the user concerned and an identification of the resource to be accessed. As mentioned above, the user-ID can be input by the user as part of a login procedure along with, for example, a password.

In step S13, the access request message is transmitted (12) to the Internet, to be passed to the server 20.

Subsequently, following processing by the server 20, the computer 10 will receive the result of the access request at step S14 by means of an appropriate message from the server.

In step S15, the result of the access request will be displayed to the user. This can take the form of changing the display to one that includes information resulting from the requested access. Alternatively, in the event that access is refused, an appropriate display can be shown indicating the reason why access is refused (for example, that the authentication response given by the user was invalid).

Figure 5 is a schematic overview of the server 20. As shown in Figure 5, the server 20 comprises a number of server components. Thus a World Wide Web (WWW) server 56 is operable to receive (16) the access request message from the Internet 14 and to transmit (32) an appropriate message giving notification of the result of the access request. The WWW server 56 is connected via a link 58 to an application server 60 that contains logic to drive the authentication process of the present invention. In particular, the application server 60 is responsive to receipt of an access request message via the WWW server 56 to access the directory 64, which contains information including the user-ID (UID) 61 and, associated therewith, an appropriate contact address (for example a telephone number T#) 63 for the user. In addition, an indication of a valid response (VR) 65 to an authentication request message can be included, as well as other data (not represented) relating to the user.

The application server 60 is operable, in response to receipt of an access request message, to compose and issue an authentication request message that is sent via a link 66 to an Over The Air (OTA) server 68 that provides an interface between the server 20 and an element of a GSM network. In the instance shown, the OTA server 68 is connected via a link 72 (for example a digital network such as an X.25 network) to the Short Message Service Service Centre (SMSSC) 70 of a GSM network provider. The authentication request is sent (18) to the SMSSC 70, which in turn causes an SMS message to be sent via the GSM network 22 to the communications equipment 30 of the user at the contact address identified by the telephone number T#. By including the user-ID in the authentication request message, this information can be communicated to the communications equipment 30. The authentication message can be encrypted using any desired encryption protocol, for example an encryption protocol based on PKI or on symmetric key encryption.
On subsequent receipt of an SMS message providing a response to the authentication request, the SMSSC 70 will return (28) the response via link 72 to the OTA server 68, which in turn sends the response message via link 66 to the application server. By including the user-ID in the response message, the application server is able to identify the authentication request to which it relates. Moreover, the application server is configured to evaluate the response received, for example by comparing a specific response field in the response message to the valid response VR 65 held in the directory 64 in association with the user-ID 61. If the response field of the response as received corresponds to the valid response, then access can be granted to the resource requested by the user. Otherwise, access is refused.

The application server is configured to return an appropriate result via link 58 to the WWW server 56 to be passed (32) via the Internet back to the user computer 10. The result as communicated will be either the granting of access or an indication of why access was refused, depending on whether or not a valid response to the authentication request is received within a predetermined time.

The server 20 can be implemented using conventional server equipment comprising appropriate network interfaces, one or more processors and appropriate memory. The directory 64 could be configured in any appropriate manner, for example as a table or as a linked list, and using any appropriate protocol, for example the Lightweight Directory Access Protocol (LDAP). Details of LDAP may be found, for example, in W. Yeong, T. Howes and S. Kille, "Lightweight Directory Access Protocol", RFC 1777, March 1995.

Figure 6 is a flow diagram summarising the operation of the server 20.

In step S21, the access request message is received from the user. The access request message includes details of the resource to which the user requires access, as well as an identification of the user (UID).

In step S22, the user is identified from the UID, and this is used to identify an appropriate contact address in the directory 64 for the generation of an authentication request.

In step S23, the authentication request message is sent via the GSM network as an SMS message. This includes details of the server, the access request and a request for authentication of the access request. The message can be encrypted, if required, using an appropriate protocol.

In step S24, it is assumed that an authentication response message is received.

In step S25, the authentication response is verified. The verification can include suitable decryption, if required, and checks to see that the response is from the appropriate user and is as expected. This can be achieved by comparing the received response to a valid authentication response as held in the directory 64. If the received authentication response is shown to be valid, access to the resource is permitted in step S26 and an appropriate result is sent to the user computer 10. If an invalid response is received, then access is refused at step S27 and an appropriate result is sent to the user computer 10.

Similarly, if no response is received by a given time (time-out 28), access to the resource is refused at step S27 and an appropriate result is sent back to the user computer 10.
The operation of the server 20 as described in Figure 6 can be implemented by one or more computer programs comprising computer program instructions that control the operation of one or more processors of the server 20. The computer program(s) can be held in memory of the server 20.

A computer program product comprising the computer program(s) can be supplied on a carrier medium. The carrier medium could be a storage medium, such as a solid state, magnetic, optical, magneto-optical or other storage medium. The carrier medium could be a transmission medium such as a broadcast, telephonic, computer network, wired, wireless, electrical, electromagnetic, optical or indeed any other transmission medium.

Figure 7 is a schematic block diagram giving an overview of communications equipment 30 in the form of a mobile telephone. As shown in Figure 7, an aerial 74 is connected to a radio receiver unit 78, which in turn is connected to a processing unit 80. The processing unit 80 is also connected to the aerial 74 by a radio transmission unit 76. The processing unit and the radio receiving and transmitting units 78 and 76 could be implemented as separate integrated circuits, or they could be implemented in a single integrated circuit. The processing unit can comprise one or more processors with associated memory and associated circuitry implemented using any appropriate technology. For example, it can be implemented as an ASIC. The processing unit 80 also has access to a chip 92 on a Subscriber Identity Module (SIM) card 90 that is used to validate and activate the communications equipment 30. Also shown in Figure 7 are a display 82, a keyboard 84, a loudspeaker 86 and a microphone 87.

The SIM card is a smart card with special applications for use with a GSM network. A SIM card belongs to one person who has a contract with a GSM network provider, and a SIM belongs to one telephone number in the GSM network. The owner of the communications equipment including the SIM card can access the GSM network only if the SIM card is in the mobile phone and active. Typically, if it is active, the user will already have input a PIN (Personal Identification Number) code for the card, which is something he or she knows. In this manner, the user is securely identified in the GSM network. If not, then for example the SIM card can be programmed to require entry of the PIN (or other user validation code) in response to receipt of an authentication request message. Access to the GSM network can be achieved everywhere that GSM network reception is possible, and not only within the network of his or her own provider. In this manner, the user has a secure smart card and a terminal in his or her hands.

Figure 8 is a flow diagram illustrating the basic steps provided in operation of the communications equipment 30.

In step S31, the authentication request message is received as an SMS message.

In step S32, the user is alerted on receipt of the authentication request message. In normal operation of a GSM telephone, the receipt of an SMS message will be identified by an audio and/or visual indication. Thus, the telephone may beep and/or a visual indication may be given on the display of the telephone to show that an SMS message has been received. The authentication request is forwarded automatically to the proactive SIM card. The SIM card selects the right application on the SIM card and performs verification and/or decryption of the received message. The verification at the SIM card can include, for example, verification that the SMS message has been received from a server the identity of which has been pre-programmed into the SIM card. The SIM card application then causes the communications equipment to prompt the user to enter a response to the authentication request. This can be, for example, the entry of a single yes or no for accepting or rejecting the authentication and/or the entry of some other information, for example a personal identification number (PIN).

In step S33, the SIM card can then compose a suitable response message. The response message can include the user-ID, allowing the server to associate it with the authentication request, and, for example, additional information such as a PIN and/or a password and/or other information from the SIM card (for example a contract number) and/or a predetermined response (e.g., simply a yes or no) entered by the user.

In step S34, an SMS response message can then be sent to the server from which the authentication request message was received, whereby the response message will pass back to the server 20.
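The exchange summarised in Figure 2 and detailed in Figures 6 and 8, as an added example in Python that is not part of the patent and not an implementation of any product it describes: an application server that looks up T# and VR in the directory, issues the SMS authentication request, correlates the response by user-ID plus a serial number, applies the time-out, and compares the response field to VR; and a stand-in for the proactive SIM application that checks the pre-programmed server address before prompting the user. The SMSSC/OTA transport is replaced by an in-memory outbox, and the field names, addresses, sample directory entries, sample responses and the 30-second time-out are assumptions.

```python
import hmac
import time

# Assumed originating address of the OTA server 68 / SMSSC 70 as seen by the handset;
# the SIM application checks incoming requests against it.
SERVER_ADDRESS = "+44700000001"
# Assumed value for the "predetermined time" within which a response must arrive.
TIMEOUT_SECONDS = 30

# Directory 64 (constructed sample data): UID 61 -> contact address T# 63, valid response VR 65.
DIRECTORY = {
    "alice": {"phone": "+447700900123", "vr": "4711"},
    "bob":   {"phone": "+447700900456", "vr": "9032"},
}


class Server:
    """Application server 60: issues authentication requests and evaluates responses."""

    def __init__(self, directory, now=time.time):
        self.directory = directory
        self.now = now
        self.pending = {}   # (uid, serial) -> (resource, time issued)
        self.outbox = []    # SMS messages handed to the SMSSC 70
        self.serial = 0     # per-request serial number, the alternative correlation mechanism

    def handle_access_request(self, uid, resource):
        """Steps S21-S23: look up T# for the UID and issue the SMS authentication request."""
        entry = self.directory.get(uid)
        if entry is None:
            return {"status": "refused", "reason": "unknown user"}
        self.serial += 1
        self.pending[(uid, self.serial)] = (resource, self.now())
        self.outbox.append({
            "from": SERVER_ADDRESS, "to": entry["phone"],
            "uid": uid, "serial": self.serial, "resource": resource,
            "text": f"Authenticate access to {resource} for {uid}: enter your response",
        })
        return {"status": "pending", "serial": self.serial}

    def handle_response(self, sms):
        """Steps S24-S27: correlate by UID/serial, apply the time-out, compare the response to VR."""
        pending = self.pending.pop((sms.get("uid"), sms.get("serial")), None)
        if pending is None:
            return {"status": "refused", "reason": "no matching request"}
        resource, issued = pending
        if self.now() - issued > TIMEOUT_SECONDS:
            return {"status": "refused", "reason": "time-out", "resource": resource}
        expected = self.directory[sms["uid"]]["vr"].encode()
        # constant-time comparison, so guessing the response field learns nothing from timing
        if hmac.compare_digest(str(sms.get("response", "")).encode(), expected):
            return {"status": "granted", "resource": resource}
        return {"status": "refused", "reason": "invalid response", "resource": resource}

    def expire_stale(self):
        """Time-out 28: drop pending requests that never received a response in time."""
        stale = [k for k, (_, t) in self.pending.items() if self.now() - t > TIMEOUT_SECONDS]
        return {k: self.pending.pop(k) for k in stale}


class SimApplet:
    """Proactive SIM application on equipment 30 (Figure 8, steps S31-S34)."""

    def __init__(self, uid, phone, prompt, trusted_server=SERVER_ADDRESS):
        self.uid, self.phone = uid, phone
        self.prompt = prompt                  # stands in for display 82 and keyboard 84
        self.trusted_server = trusted_server  # server identity pre-programmed into the SIM

    def handle_sms(self, sms):
        # S32: only act on requests from the pre-programmed server that name this UID
        if sms.get("from") != self.trusted_server or sms.get("uid") != self.uid:
            return None
        answer = self.prompt(sms["text"])     # user types a response, or None to reject
        if answer is None:
            return None
        # S33/S34: the response carries the UID and serial so the server can link it to the request
        return {"from": self.phone, "to": sms["from"], "uid": self.uid,
                "serial": sms["serial"], "response": answer}


def run_exchange(uid, resource, user_answer, delay=0.0, spoof_sender=None):
    """Drive one complete S1-S4 cycle on a fake clock and return the server's result."""
    clock = [0.0]
    server = Server(DIRECTORY, now=lambda: clock[0])
    phone = DIRECTORY.get(uid, {}).get("phone", "")
    applet = SimApplet(uid, phone, prompt=lambda text: user_answer)
    result = server.handle_access_request(uid, resource)
    if result["status"] != "pending":
        return result
    sms = server.outbox.pop()
    if spoof_sender is not None:
        sms = {**sms, "from": spoof_sender}   # simulate a forged originating address
    reply = applet.handle_sms(sms)
    if reply is None:
        return {"status": "refused", "reason": "no response from device"}
    clock[0] += delay                          # time elapsed before the reply reaches the server
    return server.handle_response(reply)


if __name__ == "__main__":
    print(run_exchange("alice", "vpn", "4711"), run_exchange("alice", "vpn", "0000"))
    print(run_exchange("alice", "vpn", "4711", delay=60), run_exchange("alice", "vpn", "4711", spoof_sender="+44123"))
```

In this basic embodiment the valid response VR is a static value that the user types and that travels in the SMS, so unless the messages are encrypted as the description allows, anyone who can read the channel learns it; the keyed challenge-response enhancement mentioned at the end of the description removes that exposure.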

If the SIM card is provided with a Subscriber Identity Module Toolkit Application Programming Interface (SIMAPI), the operation of the communications equipment 30 can be enhanced to provide any desired degree of automation of the messaging. Documents provided by the European Telecommunications Standards Institute (ETSI) on the SIMAPI can be found, for example, in the technical specifications identified as ETSI TS 101 267 V7.3.1 (1999-07), ETSI TS 100 977 V7.4.0 (1999-12), ETSI TS 101 413 V7.1.0 (1999-07) and ETSI TS 101 476 V7.0.0 (1999-11), which documents are available from ETSI, F-06921 Sophia Antipolis Cedex, France.

A SIM card application for implementing the program at the SIM card can be provided on the SIM card using any programming language operable under the SIMAPI. Such a program performs the steps of: validating an authentication message from a server, prompting a user to input a response, preparing an authentication response message and forwarding the authentication response message to the server. In an example implementation, the SIM card application can be implemented using the Java language. Java is a trademark of Sun Microsystems, Inc.

Figure 9 is a schematic overview of the SIM Toolkit framework provided in accordance with the ETSI technical specifications mentioned above. A GSM framework 94 comprises a GSM applet and a file system object. It provides a GSM low-level package and a SIM access package that allows applets to access GSM files. A toolkit framework 96 provides for applet triggering, command handling, and the installing and uninstalling of applets, as well as security management. The applets that may be triggered include toolkit applets 104 and application applets 106. Applets may be triggered in response to receipt of an SMS message. Thus, on receipt of an SMS message, an application applet can be provided for processing authentication messages at the communications equipment 30, for example in accordance with the process steps described with respect to Figure 8.

In summary, an embodiment of the present invention provides for a user with communications equipment such as a GSM mobile telephone, which user has a contract with a communications service provider (e.g., a GSM network provider) that assigns a unique address (e.g., a telephone number) to the communications equipment. A server is provided with this communications address and links it to a user-ID that is, for example, assigned by the server to the user. The communications equipment thus provides a mechanism for receipt of, and response to, an authentication message from the server.

For example, where the user requests a secure website with his or her user-ID, the server will send an authentication message (e.g., an SMS message) to the communications address, e.g. a telephone number, associated with the user-ID. The communications equipment will receive the authentication request, will request the user to accept the authentication request and will return an appropriate response message to the server with confirmation that the user accepts the authentication request message. The server will receive the response message and will complete the login of the user to the secure website, or not, depending on whether a valid response from the user is received. By including the user-ID, and possibly also an identification of the resource to be accessed, in each message sent, related messages can easily be linked to one another. Alternatively, another message format could be used with another mechanism (for example a serial number) for identifying related messages.

An embodiment of the invention can be implemented by providing the server with a database that links user-IDs to the communications addresses for the users. Readily available communications equipment can be used at the user side. If required, additional information (for example geographic information) can be submitted with the response from the communications equipment to the server. The process can be enhanced through the use of cryptographic keys (for example with symmetric keys using a challenge response, or with public keys using certificates).
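As an added illustration of the flow just described (example code, not part of the patent), a Python model of the server and the communications equipment: the server's directory links a user-ID to a contact address and a symmetric key, the authentication message carries the user-ID and the resource so that related messages can be linked, and the response is a challenge-response value computed with the symmetric key. The directory entry, key, telephone number, message format and the HMAC-SHA256 scheme are constructed assumptions, not details taken from the specification.

```python
import hashlib
import hmac
import secrets
import time
# Constructed sample directory: user-ID -> contact address and per-user symmetric key (assumption).
DIRECTORY = {"alice": {"address": "+15550100", "key": b"constructed-demo-key-alice"}}


class AuthServer:
    """Server side: issues authentication requests over the SMS channel and evaluates responses."""
    def __init__(self, directory, ttl_seconds=120):
        self.directory = directory
        self.ttl = ttl_seconds
        self.pending = {}   # (user_id, resource) -> (challenge, expiry); each entry is single use
        self.outbox = []    # simulated SMS channel: (contact address, message text)

    def access_request(self, user_id, resource):
        """Handle an access request from the client station; returns False if no user record exists."""
        entry = self.directory.get(user_id)
        if entry is None:
            return False
        challenge = secrets.token_hex(8)
        self.pending[(user_id, resource)] = (challenge, time.monotonic() + self.ttl)
        # The user-ID and resource travel in the message so that related messages can be linked.
        self.outbox.append((entry["address"], f"AUTH {user_id} {resource} {challenge}"))
        return True

    def evaluate_response(self, user_id, resource, response):
        """Permit access only for a fresh, single-use response computed with the user's key."""
        pending = self.pending.pop((user_id, resource), None)
        if pending is None or time.monotonic() > pending[1]:
            return False
        expected = _response_tag(self.directory[user_id]["key"], user_id, resource, pending[0])
        return hmac.compare_digest(expected, response)


def _response_tag(key, user_id, resource, challenge):
    """Challenge-response value: HMAC-SHA256 over the linked fields (constructed scheme)."""
    return hmac.new(key, "|".join((user_id, resource, challenge)).encode(), hashlib.sha256).hexdigest()


def device_respond(key, message, user_accepts=True):
    """Communications equipment side: parse the request, invite acceptance, compute the response."""
    tag, user_id, resource, challenge = message.split(" ", 3)
    if tag != "AUTH" or not user_accepts:
        return None  # declined or malformed: nothing is returned to the server
    return _response_tag(key, user_id, resource, challenge)


def run_flow(user_id="alice", resource="https://intranet.example/secure", user_accepts=True):
    server = AuthServer(DIRECTORY)
    if not server.access_request(user_id, resource): return False
    _address, message = server.outbox[-1]
    response = device_respond(DIRECTORY[user_id]["key"], message, user_accepts)
    return response is not None and server.evaluate_response(user_id, resource, response)
```

Because the server pops the pending entry on evaluation, a captured response cannot be replayed for a second login, and a response computed for a different resource or with a different key fails the comparison.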

Although a particular embodiment of the invention has been described, it will be appreciated that many modifications, additions and substitutions may be made within the spirit and scope of the invention.

Thus, for example, although the invention has been described in the context of the Internet and a GSM network, the invention is not limited thereto and could be implemented over any other network and using any other form of additional network for communication with the user. For example, networks using standards other than GSM are known or planned. Networks that are currently planned for the future include the use of a validation device that confirms the contract between the user and a service provider. The user can only then get access to the network where a valid validation device is present in the equipment. It will be appreciated that the invention can be applied in such systems, even where the validation device is not a SIM. More generally, communication with the user could be via another form of wireless communication network, or by satellite networks, landlines or indeed any other form of telecommunications network.

An embodiment of the invention can also be envisioned that is operable whether or not a validation device such as a SIM card is provided in the communications equipment. Thus, for example, a message (for example a text message such as an SMS message), or an automated voice message, could be sent to the user on his or her communications equipment. This message could solicit a response from the user to authenticate a resource access request. The entered text or voice response could then be analysed by the server, using text comparison or voice recognition technology, to verify that the response corresponds to a predetermined response pre-recorded at the server. If the response checks out, then access to the resource can be permitted.

Although an implementation of the invention has been described in the context of a mobile telephone forming the user communications equipment, it will be appreciated that other forms of user communications equipment can be employed. Thus, for example, the communications equipment could be a WAP (Web Access Protocol) telephone, a personal assistant with a communications interface, or indeed any other form of communications equipment that can be addressed directly by the server to solicit a response to an authentication message. Using a different channel for the communication with the user that verifies the access request than the channel used for the direct web access enhances the security of access.

Also, although a manual input is provided by the user, by linking the communications device to the station that originated the access request (for example by means of a WAP phone), the whole process can be automated, whereby information is passed between the web browser at which access is requested and a further application provided for responding to the authentication request.
WHAT IS CLAIMED IS:

1. Network access security system comprising:

a client station for inputting an access request for access to a resource via a network, the access request identifying the user and the resource to be accessed;
a server holding data relating to users including a contact address for a communications device for users, the server being responsive to a received access request to issue an authentication request to the communications device of a user identified in the access request, and
a said communications device including a receiver for receiving the authentication request from the server, a controller operable to invite a response to the authentication request and a transmitter to return the response to the server;
wherein the server is further operable to evaluate a received response for determining whether the user is permitted to gain access to the resource.

2. The system of claim 1, wherein at least one of the receiver and the transmitter includes a wireless communications interface.

3. The system of claim 2, wherein the communications device is a mobile telephone.

4. The system of claim 1, wherein the communications device includes a user identification unit.

5. The system of claim 4, wherein the user identification unit is a SIM card.

6. The system of claim 5, wherein the communications device is a GSM telephone. 

7. The system of claim 1, wherein the authentication request message is a text message.

8. The system of claim 1, wherein the response message is a text message. 

9. The system of claim 1, wherein at least one of the authentication message and the response message is a Short Message Service message.

10. The system of claim 1, wherein the network is the Internet. 

11. A communications device including a receiver for receiving a resource access authentication request from a server, a controller operable to invite a response to the authentication request, and a transmitter to return the response to the server.

12. The device of claim 11, wherein the receiver comprises a wireless signal receiver.
13. The device of claim 11, wherein the transmitter comprises a wireless signal transmitter.

14. The system of claim 11, wherein the communications device is a mobile telephone.

15. The system of claim 11, wherein the communications device includes a user identification unit.

16. The system of claim 15, wherein the user identification unit is a SIM card.

17. The system of claim 16, wherein the communications device is a GSM telephone.

18. The system of claim 11, wherein the authentication request message is a text message.

19. The system of claim 11, wherein the response message is a text message.

20. The system of claim 11, wherein at least one of the authentication message and the response message is a Short Message Service message.

21. A server including a network message interface for receiving an access request from a client station for access to a resource, the access request identifying the user, a server holding data relating to users including at least a contact address for a communications device for users, the server being responsive to a received access request to issue an authentication request to the communications device of a user identified in the access request.

22. The server of claim 21, comprising a directory holding the data relating to users, and a controller responsive to receipt of an access request to retrieve a contact address from the directory for the user and to issue an authentication request to the communications device.

23. The server of claim 21, wherein the authentication request is directed via a message service for calling the communications device of the user.


24. The server of claim 21, wherein the directory holds required responses to authentication requests, the controller being operable to evaluate a response received from the communications device to determine whether to permit access to the resource.

25. The server of claim 21, wherein the network is the Internet.

26. A network client comprising user input equipment for input of a resource access request, a mechanism for composing an access request identifying the user and the resource to be accessed, and a network interface for issuing an access request to a server for access to a network.
27. A method of controlling access to a network resource, comprising:

in response to the input of an access request by a user for access to a resource at a network client, issuing an access request to a server, the access request identifying the user and the resource to be accessed;
at the server, responding to receipt of the access request to retrieve a contact address for a communications device for the user identified in the access request to issue an authentication request to the communications device;
at the communications device, responding to receipt of the authentication request to invite a response to the authentication request and transmitting the response to the server; and
at the server, evaluating the response and, in the event of a valid response, permitting access to the resource.

28. The method of claim 27, wherein the communications device is a device for wireless communication.

29. The method of claim 28, wherein the communications device is a mobile telephone. 


30. The method of claim 29, comprising, at the communications device, extracting user information from a 
user identification unit. 

31. The method of claim 30, wherein the user identification unit is a SIM card.


32. The method of claim 31, wherein the mobile telephone is a GSM telephone.

33. The method of claim 27, wherein the authentication request message is a text message.

34. The method of claim 27, wherein the response message is a text message input by a user via the mobile telephone.

35. The method of claim 27, wherein at least one of the authentication message and the response message is a 
Short Message Service message. 



36. The method of claim 27, wherein the network is the Internet. 



37. A computer program product on a carrier medium, the computer program product comprising program instructions for controlling a server:
to determine a contact address for a communications device of a user associated with a user identification in a resource access request received from a client station;
to issue an authentication request to the communications device at the retrieved address;
to evaluate a response received from the communications device and to permit access to the requested resource only where a valid response is received.

38. A computer program product on a carrier medium for controlling a proactive validation unit in mobile equipment, the computer program comprising program instructions to validate an authentication message received from a server, to prompt a user to input a response, to prepare an authentication response message and to forward an authentication response message to the server.